336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9

Analysis

max time kernel
76s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2022, 08:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe
Size

650KB
MD5

76b4e8fd43ebdde673e0277f36e9c997
SHA1

c4e3e42fc9ca0ca57dbe6ee154c87f283f8f51d7
SHA256

336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9
SHA512

7787d8bb7a756c1053d1f4940298faefc9aadc4172c77eaf548c55346d97919cd210a8823746a81d6e828fa67c459910d29a7dfbb7557e8ab91ea1f2c8d51790
SSDEEP

12288:WXwOrReFWQFL6XRZjgWY0dxTU2/kgPc7MDHEvrReRLCg42Gk:WXwOrRs/6BZxdZ/E7wHEvrZ2Gk

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3916	Ecut_6_hosts.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4344	336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 3916	4344	336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe	88
PID 4344 wrote to memory of 3916	4344	336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe	88
PID 4344 wrote to memory of 3916	4344	336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe	88

C:\Users\Admin\AppData\Local\Temp\336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe
"C:\Users\Admin\AppData\Local\Temp\336e0c431638a77f269759f4bac4bb85011a5746ef88aea448f223357a5a2fd9.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecut_6_hosts.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecut_6_hosts.exe"
  2⤵
  - Executes dropped EXE
  PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecut_6_hosts-0.bin

Filesize
65KB

MD5
2b65af580aa7e4caf1994a49898a779d

SHA1
b8767cc3993647b9aad172ec9c4202d2e938965b

SHA256
798305104c4b0cb8838e8c6ebc25e4b162a50f7a24e70b4deb9a6b24389b6665

SHA512
ee55115041dee16c93f598ad061e0e313df6baef1560e5f47901e041e4911ebe7c8756f4e085d47f27ccf3d1be238a2e0c789a03269e471f7556170cedd7a9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecut_6_hosts.exe

Filesize
1.2MB

MD5
01e9893d4116fe83073aeaf6656e00bd

SHA1
b370cf7e47eb42f252cf2805d93cb8b89af31c5e

SHA256
d072bab4539638fc2a54ee501ff85565a070b8f8117990ee42bf2b5262a41c76

SHA512
1976ffa8fe910ef997c00f945ffc7299adad52021686f787c3066a38d6403b01531c5f20a46bd611971ce1a0eb409966011e804f87b02334e839adb2732dc3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ecut_6_hosts.exe

Filesize
1.2MB

MD5
01e9893d4116fe83073aeaf6656e00bd

SHA1
b370cf7e47eb42f252cf2805d93cb8b89af31c5e

SHA256
d072bab4539638fc2a54ee501ff85565a070b8f8117990ee42bf2b5262a41c76

SHA512
1976ffa8fe910ef997c00f945ffc7299adad52021686f787c3066a38d6403b01531c5f20a46bd611971ce1a0eb409966011e804f87b02334e839adb2732dc3af

Download Submit